Date: Fri, 09 Apr 1999 21:25:19 -0600
From: Wes Peters <wes@softweyr.com>
To: Brett Glass <brett@lariat.org>
Cc: security@FreeBSD.ORG
Subject: Re: Interesting problem: chowning files sent via FTP
Message-ID: <370EC49F.1A020B9D@softweyr.com>
References: <4.2.0.32.19990409184654.045424d0@localhost>
Brett Glass wrote:
>
> Here's an interesting security problem that perhaps folks on this list can
> help with. I'm working with a client who does printing and computer
> graphics. He wants his customers to be able to upload graphics files via
> FTP and then allow an on-site operator to retrieve them.
>
> The customers should be able to FTP only into their own home directories
> (easy to implement via the built-in chrooting features of ftpd). The
> operator should be able to read and delete the files the users upload,
> preferably via NFS. But he shouldn't have full root privileges -- rather,
> he should have just enough privilege to work with those files.
>
> It seems to me that a good way to implement this would be to have the
> customers make their uploaded files group read/writable by a group of which
> the operator is the sole member. The operator would then mount /home via
> NFS, and would be granted only the privileges associated with his user ID
> and group. This would allow him to read and delete the files that the users
> had uploaded for him, but would not let him mess with the directory
> structure or with any files that hadn't been uploaded with the right modes
> or ownership.
>
> There are two problems, though. First of all, it appears that FTP doesn't
> have a built-in way of setting group ownership of an uploaded file. (It
> does let you set the UMASK, but there's no obvious way to say which group
> "owns" the file.) How could this be done by the FTP client? Can the
> customer give group ownership of the file to a group of which the user is
> not himself a member?

An interesting problem you have there, Brett. I can think of one quick
solution: if the ftp server is dedicated to this task, you could make ftpd
sgid to the "printer" group. It's too bad that the exports file does not
support "mapgroup" commands orthogonal to the "maproot" command.
Arbitrary user mappings might be of value too, but I can see how they could
quickly grow completely out of reason.

> Second, I need to set up NFS so that only the operator can mount /home from
> his one machine, and only with the privileges that would be accorded to him
> if he logged onto the machine himself. We want to make this as secure as
> possible, since the customers' data may be proprietary. So, we'll want to
> restrict NFS mounts to a specific IP address and authenticate as best we
> can. (If it's REALLY necessary, we may be able to have the operator use FTP,
> but this is less desirable than letting him mount the directory.)
>
> Ideas on how to solve these two problems? Any other considerations I should
> be thinking of?

I'm thinking you can probably do this by exporting the filesystem from the
ftp server ONLY to the printer's workstation, and exporting with
-mapall=printeruid:printergid. Run the ftpd as sgid printergid, so the files
end up being group owned by printergid. I'm not sure how this will interact
with being able to delete the files, but if you think along these lines I
think you can solve it without hacking {much|anything}.

Best of luck, and write back if you have specific questions. I'm a little
intrigued by this. I know several print shops around here that try, and
often fail, to have clients email them large postscript or pre-ripped print
files, and they may be able to benefit from your experience also. ;^)

--
"Where am I, and what am I doing in this handbasket?"
Wes Peters                                                     Softweyr LLC
http://www.softweyr.com/~softweyr                          wes@softweyr.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
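The setup Wes sketches (export /home only to the operator's workstation with -mapall, run ftpd sgid to the printer group, rely on the upload umask for group access) can be expressed and checked with a few shell helpers. The block below is an added example, not code from the thread or from FreeBSD; the host name printerws.example.com, the uid/gid values and the directory layout are assumptions. It builds the exports(5) entry, checks whether a binary actually carries the sgid bit, and audits an upload tree for two things the thread's open question turns on: files the printer group cannot read (wrong umask) and directories the group cannot write to (which is what the operator needs in order to delete uploads, since unlink is a directory permission, not a file permission).

```shell
#!/bin/sh
# Added example for the ftpd + NFS layout discussed in the thread.
# Assumed values: export path /home, operator workstation
# printerws.example.com, operator uid/gid passed in by the caller.

# Build one /etc/exports line: export DIR to HOST only, mapping every
# remote uid/gid to UID:GID (FreeBSD exports(5) -mapall). Restricting the
# host list is what keeps other machines from mounting the customers' data.
exports_line() {
    dir=$1; host=$2; uid=$3; gid=$4
    printf '%s -mapall=%s:%s %s\n' "$dir" "$uid" "$gid" "$host"
}

# True if PATH has the setgid bit, i.e. ftpd will create files owned by
# its group rather than the uploading user's group.
check_sgid() {
    [ -g "$1" ]
}

# Regular files under DIR that lack the group-read bit (octal 040).
# These are uploads made with a umask that hides them from the operator.
audit_uploads() {
    find "$1" -type f ! -perm -040
}

# Directories under DIR that lack the group-write bit (octal 020).
# Without it the operator can read uploads but cannot delete them.
audit_dirs() {
    find "$1" -type d ! -perm -020
}

# Stand-alone usage: show the exports entry for the assumed values.
exports_line /home printerws.example.com printer print
```

Run the two audit functions against the exported tree from the ftp server itself (not over the NFS mount, where -mapall changes what the operator appears to own) and compare the output against the group-read and group-write expectations before handing the operator the mount.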